Microsoft Case Shows the Limits of a Data Privacy Law

By Peter J. Henning

July 18, 2016

The battle over the privacy of electronic communications sought in government investigations shifted against the Justice Department last week.

The question is whether a judicial decision preventing investigators from obtaining emails stored abroad will finally push Congress to address just how much protection should be afforded to digital information.

Similar issues surfaced this year in the battle between Apple and the F.B.I. over access to an encrypted iPhone used by one of the attackers in the mass shooting in San Bernardino, Calif.

In the case of Microsoft v. United States, the United States Court of Appeals for the Second Circuit in Manhattan last week dealt a blow to efforts to obtain emails that are held in foreign countries.

The government obtained a warrant under a provision of the Stored Communications Act to gain access to emails in a customer’s account maintained by Microsoft on one of its servers in Dublin. The company refused to turn over the data, arguing that the warrant applied only to materials in the United States and not those held outside the country. The government claimed that where the electronic files were actually stored was irrelevant because the communications were within Microsoft’s control, so the company should be required to produce them.

The case turned on how broadly a court can apply the Stored Communications Act, a law adopted in 1986 as part of the Electronic Communications Privacy Act to give a measure of protection to the then-nascent technology of email. Like almost any 30-year-old law dealing with technology, it is hopelessly out of date because it has not been meaningfully updated by Congress to address how digital information is created and stored.

The Supreme Court has emphasized in the last few years a presumption that American laws should not be applied outside the country unless Congress makes it clear that they extend to extraterritorial conduct. In June, the court reiterated that position in RJR Nabisco v. European Community to limit private lawsuits under the Racketeer Influenced and Corrupt Organizations Act, or RICO, to violations that affect domestic businesses or property.

The Second Circuit read the scope of the Stored Communications Act along the same lines, limiting the application of any warrant to what is within this country’s borders because there was no indication in the statute that Congress wanted the law to permit searches outside the United States.

As a result, the warrants authorized by the statute are much like ordinary search warrants that can be executed only in the United States because American courts do not have the authority to authorize a search abroad.

Of course, digital information does not exist in the same sense that a piece of paper can be found in a specific location. With a few keystrokes, electronic files can be whisked across the globe, and it would have been easy for Microsoft simply to move the information in the customer’s email account to the United States. While the files were in Ireland, that was more a product of how the company chose to store them than a conscious decision by the account owner to try to keep them outside the United States.

A concurring opinion by Judge Gerard E. Lynch of the Second Circuit makes it clear that the decision to limit the scope of the warrant resulted from an outdated law, not a choice by Congress to hamstring investigations of foreign conduct that might violate American laws. He pointed out that “there is no evidence that Congress has ever weighed the costs and benefits of authorizing court orders of the sort at issue in this case,” because in 1986 that was simply not an issue.

The whole idea behind cloud storage is that electronic information would be available anywhere, so focusing on a particular server may not reflect how the data is stored and retrieved. The very notion that electronic communications are in one particular country may be unrealistic about what actually takes place with data. Email files can be scattered throughout the world and broken into different parts, and may be shifted almost continuously through a company’s system. This is far from the storage of files in the equivalent of locked cabinets that much of the law seems to envision.

Nor is this Microsoft’s first tussle with the government over the Stored Communications Act. In April, the company filed a lawsuit claiming that secrecy orders issued under the law to prevent providers from notifying customers of demands for their information violated its First Amendment rights along with the Fourth Amendment. So it has taken a harder line in its dealings with the government rather than making an easy accommodation to produce the emails sought in an investigation.

The incentives created by the Second Circuit’s decision are likely to prove highly problematic for investigators dealing with foreign suspects. It could even affect cases involving domestic conduct if communication providers were to read the opinion as authorizing them to shift data overseas to avoid having to produce customer information in an investigation.

Take it a step further by imagining the possibility that a company might offer an email service — perhaps called “Crim Mail” — guaranteeing users that their electronic files would be stored overseas. It could even choose to put servers in a location that is notably hostile to the United States and that would welcome the chance to throw a wrench in law enforcement efforts. The company could charge a premium to have files maintained only in specified locations, making it almost impossible for investigators to ever gain access to them.

No doubt such a series of events is far-fetched, but where there is an opportunity to take advantage of the law, someone may try to pursue it. Recall how the Panama Papers showed that lawyers could exploit gaps in how business entities can be created, with virtually no oversight, to help move money across the globe anonymously.

Judge Lynch ended his opinion with a call for Congress to revise the Stored Communications Act. “I believe even more strongly that the statute should be revised, with a view to maintaining and strengthening the act’s privacy protections, rationalizing and modernizing the provisions permitting law enforcement access to stored electronic communications and other data where compelling interests warrant it, and clarifying the international reach of those provisions,” he wrote.

A bill introduced in Congress in May would extend the use of warrants for electronic communications of foreign citizens located outside the United States if the country where the data was held did not have a cooperation agreement with the United States to turn over that information.

On the other side, the Justice Department disclosed on Friday that the government was working on agreements with foreign governments to allow them to serve orders on technology companies in the United States to obtain emails and conduct wiretaps, according to The Wall Street Journal. Putting such a system in place would require congressional approval.

There was a push this year to mandate that the government always use a warrant to obtain electronic communications, but opposition from the Securities and Exchange Commission helped scuttle the legislation in the Senate. As a civil regulatory agency, the S.E.C. does not have the authority to obtain a warrant, so it claimed it would be hamstrung in trying to obtain email evidence in its securities fraud investigations.

The limits of the Stored Communications Act are now on full display, and it will be up to Congress to solve the puzzle of how much protection should be afforded to personal communications while allowing investigators to gather evidence. But with Congress in recess until early September, and little prospect of significant legislation in the short time before the presidential election, any major changes will most likely have to wait until after November, and perhaps well into 2017.

The question is whether law enforcement agencies can wait months before learning what is needed to obtain electronic information that may be crucial to proving a crime.

Correction:

An earlier version of this article gave an incorrect first name for a federal judge who issued a concurring opinion in the case of Microsoft v. United States. He is Gerard E. Lynch, not Gerald.